heartbleed patterns ?
mike tancsa
mike at sentex.ca
Wed Apr 9 22:21:01 EDT 2014
On 4/9/2014 5:57 PM, Carter Bullard wrote:
>
> So, long lived connections, low source load values, after the
> TLS handshake, and large dst byte counts for the memory dumps,
> all in the clear.
Hi Carter,
This seems to make sense. I think the challenge is that this also
describes established imap sessions-- it doesn't have to be https traffic,
no? Unfortunately, I only have argus records without any user content.
Thinking aloud, I wonder what the best way to compare imap and http logs
to argus data. Normal imap traffic for example would show up in the
applications logs. However, an attacker, would not, or would just show
up as a connect. Perhaps that's a start. Look for all connect errors like
dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>,
rip=64.x.x.x, lip=64.y.y.y, TLS handshaking: Disconnected
and see if there were any large flows for the connecting IP.
Hmmm, that's a lot of cross referencing :)
Unfortunately, apache does not seem to log such connections :( I guess
I would have to look a different way. Find all the large connections in
argus and look for corresponding httpd-log entries ?
---Mike
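One way to script the cross-referencing Mike sketches above, as an added example that is not part of the original thread or of argus itself: pull the `rip=` of every "no auth attempts" disconnect out of the dovecot log, then match those IPs against flow records and keep only the long-lived, server-heavy flows Carter described. The log lines and flow records are constructed samples; the `ra` column order, the thresholds and the ratio are assumptions, not argus defaults.

```python
import re

# Constructed dovecot log lines (sample values, not from the thread).
DOVECOT_LOG = """\
Apr  9 21:03:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Apr  9 21:05:42 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.23, lip=192.0.2.10, TLS handshaking: Disconnected
Apr  9 21:06:01 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.24, lip=192.0.2.10, TLS handshaking: Disconnected
"""

# Constructed flow records, assumed to be in the column order of
#   ra -s saddr daddr dport dur sbytes dbytes
# (the exact field names and values are assumptions for this example).
FLOWS = """\
203.0.113.7   192.0.2.10 993 180.2  15400   42100
198.51.100.23 192.0.2.10 993 910.5   2100 1310720
198.51.100.24 192.0.2.10 993   3.1    900    4200
"""

# Matches the dovecot "no auth attempts" disconnect and captures the remote IP.
NOAUTH_RE = re.compile(
    r"imap-login: Disconnected \(no auth attempts[^)]*\).*?rip=(?P<rip>[\d.]+)"
)


def noauth_clients(log_text):
    """Set of remote IPs that were disconnected without any auth attempt."""
    matches = (NOAUTH_RE.search(line) for line in log_text.splitlines())
    return {m.group("rip") for m in matches if m}


def suspicious_flows(flow_text, clients, min_dur=60.0, min_dbytes=256 * 1024, ratio=10.0):
    """Flows from `clients` that are long-lived, carry a large dst byte count and
    are server-heavy (dst bytes >> src bytes). Thresholds are assumptions to tune."""
    hits = []
    for line in flow_text.splitlines():
        saddr, daddr, dport, dur, sbytes, dbytes = line.split()
        dur, sbytes, dbytes = float(dur), int(sbytes), int(dbytes)
        if (saddr in clients and dur >= min_dur and dbytes >= min_dbytes
                and dbytes >= ratio * max(sbytes, 1)):
            hits.append((saddr, daddr, int(dport), dur, sbytes, dbytes))
    return hits


if __name__ == "__main__":
    for hit in suspicious_flows(FLOWS, noauth_clients(DOVECOT_LOG)):
        print("suspicious: src=%s dst=%s:%d dur=%.1fs sbytes=%d dbytes=%d" % hit)
```

A hit only says the flow matches the shape; with flow records alone it cannot be confirmed as a Heartbleed read, so the result is a list to check against application logs, not an alert in itself.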